The changing role of

internal audit

June 2012
www.deloitte.com/in
 The current scenario
All organisations are subject to fraud risks and there
have been several instances in the past couple of
decades when frauds have led to the downfall of
organisations as a whole. Some notable examples
include, Enron and Worldcom in the USA and Satyam
near home. The current economic slowdown has
brought to surface a number of high profile frauds like
the Reebok and Citibank cases thereby increasing the
focus on fraud risk management. Global regulations
like the US Foreign Corrupt Practices Act (FCPA), UK
Bribery Act, Sarbanes Oxley Act have increasingly put
responsibility on the management of organisations
to implement an effective fraud risk management
framework. In the wake of increasing incidents of frauds
in the financial service sector, the Reserve Bank of India
(RBI) introduced guidelines for comprehensive Fraud Risk
Management (FRM) system for banks.
With increased regulatory focus and widespread
negative impact of frauds, the managements and
senior executives are increasingly concerned about
the vulnerability and exposure of their businesses/
organisations to frauds and whether or not they are
adequately protected. A recent survey undertaken by
Deloitte for fraud in Indian banks indicated that more
than half the frauds were detected by internal audit
reviews. This brings into focus the role of internal audit
in fraud risk management.
Fraud Detection mechanism
53%
43%
40%
37%
20% 20%
17%
Anonymous Internal Whistleblower By Fraud detection/ Others Not
complaint by audit/legal/ mechanism accident analytics solution disclosed
external party compliance
Source: India Banking Fraud Survey 2012
2
As the mandate and role of internal audit continue
to evolve, managements are increasingly counting on
internal audit functions in their efforts for managing
fraud risks and keeping organisations protected.
Increasingly, the internal audit function is not to monitor
and detect but also to investigate fraud incidences
when they arise. The role of internal audit in fraud
risk management by way of preventing, detecting and
investigating fraud has amplified as a result of economic
uncertainty and increased focus of certain organisation's
management on fraud risks.
Internal Audit - the traditional role
According to Chartered Institute of Internal Auditors,
the role of internal audit is to provide independent
assurance that an organisation’s risk management,
governance and internal control processes are operating
effectively. Unlike external auditors, they look beyond
financial risks and statements to consider wider issues
such as the organisation’s reputation, growth, its impact
on the environment and the way it treats its employees.
Objective examination to provide accurate and
current information to the stakeholders about
the efficiency and effectiveness of its policies
Assurance
and operations, and the status of its compliance
with the statutory obligations
Assessment Assessing and making recommendations on the
and effectiveness of the existing controls
Recommen- Demonstrates informed, accountable decision
dations making with regard to ethics, compliance, risk,
economy and efficiency
Assessing and making recommendations on the
effectiveness of the existing controls
Oversight Demonstrates informed, accountable decision
making with regard to ethics, compliance, risk,
economy and efficiency
Assessing and making recommendations on the
effectiveness of the existing controls
Advisory Demonstrates informed, accountable decision
Services making with regard to ethics, compliance, risk,
economy and efficiency
The below chart provides the fundamental functions of
an internal audit team.
The changing role of Internal Audit
The ever increasing regulations and expansion of
organisations across the globe into new markets exposed
the organisations to greater regulatory and compliance
risks. Regulators expect thorough due diligence, oversight
and background checks to be performed on partners,
vendors, suppliers and others. As fraud has a number
of negative impacts on organisations – financial and
reputational – it is important for the organisations to have
a strong fraud prevention programme.
As organisations work towards reducing the losses due
to fraud, their anti-fraud programmes are increasingly
looking towards the internal audit function for support
in light of the fact that over time as internal auditors
review systems in the organisation, they develop an
overall knowledge of the organisation’s processes, risks,
control systems and personnel which can contribute to
an effective fraud risk management.
The IIA provides mandatory guidance for internal
auditors in its International Professionals Practices
Framework (IPPF). Internal auditors are expected to
have sufficient knowledge to evaluate the risk of fraud
in their organisations, and are required to report to the
board any fraud risks found during their investigations.
IPPF also expects the internal audit activity to evaluate
the potential for the occurrence of fraud and how the
organisation manages its fraud risk. The expectation is
that internal auditing should provide objective assurance
to the board and management that fraud controls are
sufficient for identified fraud risks and ensure that the
controls are functioning effectively. Internal auditors
may review the comprehensiveness and adequacy of the
risks identified by management — especially with regard
to management override risks.
So how can this work in practice?
While planning their annual audit plan, internal
auditors should consider the assessment of fraud
risk and review management’s fraud management
capabilities periodically. They should regularly and
closely communicate with those responsible for risk
assessments in the organisation and also others in key
roles throughout the organisation, to ensure timely
fraud risk management. Internal auditors, during their
assignments, should spend an adequate time and
attention to evaluating the framework and internal
controls related to fraud risk management. It is also
imperative to have a well-defined response plan to
handle potential frauds uncovered during an internal
audit assignment.
Coping up with the new role Sources:
1. IPPF – Practice Guide on
Though the role and responsibility of internal audit
Internal Auditing and Fraud
function may vary in scope and authority in different 2. Managing the Business Risk
organizations, there is a clear trend that internal audit is of Fraud: A Practical Guide
– Paper sponsored by IIA,
taking on a more strategic and central role. With these
AICPA and ACFE.
changes, the increased interaction between the evolving
internal audit function and its major stakeholders is
an important area for organisations to focus on and
develop. Organisations can be walking on a dangerous
tightrope where senior management believe that the
internal audit function is providing assurance in respect
of fraud risk assessment, detection and investigation,
whereas reality is that internal audit are under resourced
or inadequately trained and constrained in their ability
to meet the expected delivery. Apart from this, gaps can
also exist in the levels of support and training that are
provided to internal auditor and could mean that their
ability to be effective could be highly compromised.
The way forward
An organisation’s commitment to effective internal
control should be reflected directly in the importance it
attaches to its internal audit function. The internal audit
charter, approved by the board or audit committee,
should clearly identify the roles and responsibilities of
internal audit with respect to fraud risks. This could include
roles in relation to fraud risk management, initial or full
investigation of suspected fraud, root cause analysis and
control improvement recommendations, monitoring of
a reporting/whistleblower hotline, and providing ethics
training sessions. If the internal audit activity is responsible
for the investigation, it may conduct an investigation
using in-house staff, outsourcing, or a combination of
both. This will require fraud investigation teams to obtain
sufficient knowledge of fraudulent schemes, investigation
techniques, and applicable laws. In organisations where
primary responsibility for the investigation function is not
assigned to the internal audit activity, the internal audit
activity may still be asked to help gather information and
make recommendations for internal control improvements.
It is, therefore, of utmost importance that internal audit
functions are adequately funded, staffed, and trained,
with appropriate specialised skills depending upon the
nature, size, and complexity of the operating environment
of an organisation. Also it is essential for the internal audit
function to have independent authority and reporting lines
and have adequate access to the audit committee.
The changing role of internal audit 3
Authors
Nishkam Ojha is a Manager and can be contacted at nojha@deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal
structure of Deloitte Touche Tohmatsu Limited and its member firms.

This material and the information contained herein prepared by Deloitte Touche Tohmatsu India Private Limited (DTTIPL) is intended to provide
general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). None of DTTIPL, Deloitte Touche
Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering
professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or
your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a
qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this material.

©2012 Deloitte Touche Tohmatsu India Private Limited. Member of Deloitte Touche Tohmatsu Limited